Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

LURHQ Security Services - Passion. Expertise. Trust. LURHQ has been exemplifying these attributes for over 10 years to form a true security partnership with each of our Managed Security and Consulting clients. Download our whitepaper "Choosing an Effective Security Services Partner" to learn why these attributes are critical for a successful services partnership. http://www.sans.org/info.php?id=1236

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events because of travel restrictions, you may attend live SANS courses with the best teachers in the world without leaving your home. You can even take SANS courses online on your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat. http://www.sans.org/index.php

TOP OF THE NEWS

Bill Revamps Veterans Affairs Security (18 July 2006)

The House Veterans Affairs Committee is pushing forward a new bill that would make the VA CIO an Undersecretary, giving him status equal to the other departmental leaders. It also creates another position, Undersecretary for Information Security. Additionally, it details response to data breaches, risk analysis, and notification and credit monitoring services for those affected.
-http://www.gcn.com/online/vol1_no1/41380-1.html

The 2006 Deloitte Global Security Survey reports a surge in the number of security attacks targeting large financial institutions over the past year. Phishing and pharming accounted for more than half (51%) of external attacks, followed by spyware/malware utilization (48%). Attacks are becoming more numerous and more sophisticated.
-http://www.scoop.co.nz/stories/BU0607/S00302.htm

THE REST OF THE WEEK'S NEWS

GOVERNMENT CYBER SECURITY, STANDARDS, POLICY & LEGAL

UK Government Looks at Strengthening Anti-Spam Law (July 18 2006)

The UK Department of Trade and Industry is considering strengthening its Privacy and Electronic Communications Regulations anti-spam legislation, introduced in 2003. A loophole in the law currently limits the ability to prosecute people sending unsolicited junk e-mails to businesses.
-http://management.silicon.com/government/0,39024677,39160496,00.htm

One day after announcing the July patches that fixed 18 Microsoft security flaws, Microsoft told its users about a flaw in PowerPoint that is currently being exploited in targeted cyberattacks. The flaw allows an attacker to gain complete control over a vulnerable PC if its user opens a malicious file. A patch for the PowerPoint vulnerability is due out Aug 8.
-http://news.com.com/Microsoft+to+plug+PowerPoint+hole/2100-1002_3-6095181.html
[Editor's Note (Boeckman): Since most businesses have become dependent on tools like PowerPoint, I would say that making the entire world wait so long for the patch is somewhat irresponsible.]

Vishing - Criminals Exploit VOIP Phone Calls (July 18 2006)

Criminals are sending emails asking people to call an 800 number where their personal information is taken through touch-tone dialing. The technique has been dubbed "vishing" because it combines email requests with VOIP phone services that can appear to be in any city, regardless of where the criminals are located. Another scam uses only telephones: bulk dialing, warning of fraudulent credit card use, and then requesting credit card and security code information. Again, the effectiveness of the attack relies on the VOIP capability allowing the call to appear to come from any city.
-http://news.bbc.co.uk/2/hi/technology/5187518.stm
[Editor's Note (Northcutt): While it is certainly true that just about anyone can sign up for a VOIP account like Skype and that it is possible to spoof caller ID, this is not a technology-based scam; this is a lack-of-awareness scam. If someone calls you, or leaves you a number to call them, that is not a good reason to give them your personal details about your credit card and bank account. Further, if your bank issued your credit card, they certainly already know the security code on the back of the card. This would make a good awareness Tip of the Day: If anyone ever contacts you about your credit card, thank them, hang up, and call the number on the back of your credit card.]

COMPROMISES & BREACHES

A Melbourne hospital is sending out sensitive health information as unencrypted e-mail, following a decision by the hospital that the benefits of rapid communication outweigh the risks to patient confidentiality. Some doctors are complaining, but others find encrypted e-mail too difficult to use.
-http://australianit.news.com.au/articles/0,7204,19822430%5E15306%5E%5Enbv%5E,00.html
[Editor's Note (Schultz): Encryption is indeed a double-edged sword. Its value in protecting sensitive information from unauthorized disclosure is indisputable, but encryption programs are too often user-hostile, and key management is frequently grossly inadequate.
(Honan): Ah yes, the old "security makes things harder so let's ignore it" argument. Just because something is difficult does not mean it should not be done. How much harder will things be for the hospital, not to mention the patients concerned, if sensitive patient data becomes exposed as a result of doing things the easy way?]

STATISTICS, STUDIES & SURVEYS

Eighty Percent Of New Malware Defeats Antivirus (July 19 2006)

The Australian Computer Emergency Response Team (AusCERT) recently reported that popular desktop antivirus applications miss 80% of new viruses and malware. AusCERT general manager Graham Ingram said that most PCs are protected by "a piece of software that is not working."
-http://zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm
[Editor's Note (Northcutt): To be sure, there are significant problems facing the antivirus/antispyware companies. However, I expect the experts will start weighing in over the next few days and we will find 80% was a stretch; otherwise all of our computers would be defunct by now. Here are two links to consider. The first one is Spycar. Early results from this test suite showed significant problems with anti-spyware software, but the vendors are improving rapidly; that is why tools like this are so valuable. The second is a bit of an older story, but I think it adds balance to the discussion. Enjoy:
-http://www.spycar.org/Welcome%20to%20Spycar.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=174907285
(Tan and Grefer): Anti-virus scanners typically rely on signatures to detect malware. Until a piece of malware is reported and a corresponding virus signature created, it will remain undetected. Using custom or new packing methods can also evade signature-based anti-virus scanners. Although heuristic scanning is available, it cannot be configured, in most cases, to find new malware while avoiding false alarms. The high failure rate could also mean that attacks are now more targeted. Attacker intent has shifted away from fame and toward making money. Virus writers have been careful to create malware that will not attract attention.]

MISCELLANEOUS

Vulnerability Auctions Killing Responsible Disclosure (July 19 2006)

Selling vulnerability research to the highest bidder instead of disclosing it responsibly to the affected vendor is a rising trend. Observers believe that more researchers will sell their research as demand and pay rates increase. One person asked rhetorically, "If I have a choice between a nice mention from Microsoft for responsible disclosure, or paying off my mortgage, which one do I choose?"
-http://zdnet.com.au/news/security/soa/Vulnerability_auctions_killing_responsible_disclosure/0,2000061744,39263952,00.htm
[Editor's Note (Northcutt): This has been going on for a very long time of course, but what is changing is that it is getting more organized and more visible. And it isn't just hackers; security companies are also bidding for these vulnerabilities. Here are a couple of interesting links, including a blog from 2005 and a story about an auction on eBay that was shut down:
-http://www.zerodayinitiative.com/
-http://www.securityfocus.com/news/11363
-http://www.matasano.com/log/2005/12/phreakonomics.html
(Schultz): The trend of vulnerability information being for sale to the highest bidder will only get worse over time. Trying to suppress the public disclosure of new vulnerabilities through various methods has not proven very successful, and money is a powerful motivator. The only real solution is for vendors to eliminate bugs in their products in the first place through use of systematic software development methodologies.]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com; he authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and free posters), or to update a current subscription, visit http://portal.sans.org/